Authentication for Small Organisations


Biometric Authentication

Many Small Organisations will use a vast host of online and offline services where they are required to login to prove who they are. That process of validation is called authentication, and all services are restricted until a user has authenticated themselves to the system. Unfortunately, not all forms of authentication are completely secure. In this blog we explore the various methods open to Small Organisations and what they should use and what to avoid when it comes to authentication.

This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.


Introduction to authentication for Small Organisations

Today we're going to be looking at authentication, what it is, why you should use it, what the different types are, and why it is important for Small Organisations - making sure that you get beyond the basic types of authentication and you use the right type of authentication in the right place in the right circumstances for your Organisation to remain secure.

What is authentication and why do we need it?

Authentication is the process used to prove who you are to a device or system, which will then allow you access to that device or system. We normally associate authentication with a username and password.

It's quite possible to set up an entire Organisation where you turn on your computers, your phones, tablets - any device - and never be asked to authenticate. The device logs you straight in and you have immediate access to all your systems.

But that is really dangerous, especially with online access. You need to be able to prove who is in front of the device or machine and who is using what. The simplest current way is a username and password, which has been the case for decades. That has worked up to a point, but now with the internet, everything moving online and remote working, it is no longer enough.

Now we need an extra form of authentication, sometimes known as two-factor or multi-factor. For this, not only do you need to know the username and password, you also need to have something else. Whether that something else is a device, a token, your face or a fingerprint depends on the system. But the main thing is, no one can copy it as easily as they could by simply writing down your username and password.

Someone can be in any other country and access your email system if all you are protecting it with is an email address and password. They can try to guess it, or use automated bots or password dictionaries to work out what your password is. Or, if you reuse passwords, they can simply enter a password exposed in a breach of one of your other accounts, which is a common scenario these days.

Types of authentication

Username and password is the most widely known form of authentication, and often the one used on its own as single-factor authentication.

For years people have been using multi-factor authentication without realising it, in the form of their bank cashpoint or automated dispensing machine card. The card itself and the PIN are the two factors you need to use. You need to have the card there physically, and you need to know the number to use it; you cannot use one without the other. That is one type of multi-factor authentication that people have used without realising that is what it was.

Other types of authentication include biometrics. For example, to be able to use a mobile device you might have fingerprint or facial recognition, both of which are biometric. There are lots of other scenarios where biometric authentication can be used to give people access.

Card entry systems are another type of authentication which I won't go into, as most people are familiar with them.

Actions and Activities

Later, in your Organisation:

  • Complete Board level Policy Review
  • Update Policy
  • Present to the Board for Agreement